Merge branch 'security_dblessing_impersonation_breakout' into 'master'

Prevent double-impersonation and impersonation breakout See merge request gitlab-org/security/gitlab!1797

Merge branch 'security_dblessing_impersonation_breakout' into 'master'
Prevent double-impersonation and impersonation breakout See merge request gitlab-org/security/gitlab!1797
715349d6 · GitLab Release Tools Bot · 1d8a236a · 780c8592 · 715349d6 · 715349d6
Commit 715349d6 authored Sep 29, 2021 by GitLab Release Tools Bot
4 changed files
--- a/app/controllers/admin/users_controller.rb
+++ b/app/controllers/admin/users_controller.rb
@@ -45,7 +45,7 @@ class Admin::UsersController < Admin::ApplicationController
  end

  def impersonate
-    if can?(user, :log_in)
+    if can?(user, :log_in) && !impersonation_in_progress?
      session[:impersonator_id] = current_user.id

      warden.set_user(user, scope: :user)
@@ -58,7 +58,9 @@ class Admin::UsersController < Admin::ApplicationController
      redirect_to root_path
    else
      flash[:alert] =
-        if user.blocked?
+        if impersonation_in_progress?
+          _("You are already impersonating another user")
+        elsif user.blocked?
          _("You cannot impersonate a blocked user")
        elsif user.internal?
          _("You cannot impersonate an internal user")

--- a/app/controllers/concerns/impersonation.rb
+++ b/app/controllers/concerns/impersonation.rb
@@ -20,7 +20,7 @@ module Impersonation
  protected

  def check_impersonation_availability
-    return unless session[:impersonator_id]
+    return unless impersonation_in_progress?

    unless Gitlab.config.gitlab.impersonation_enabled
      stop_impersonation
@@ -38,6 +38,10 @@ module Impersonation
    current_user
  end

+  def impersonation_in_progress?
+    session[:impersonator_id].present?
+  end
+
  def log_impersonation_event
    Gitlab::AppLogger.info("User #{impersonator.username} has stopped impersonating #{current_user.username}")
  end

--- a/locale/gitlab.pot
+++ b/locale/gitlab.pot
@@ -38545,6 +38545,9 @@ msgstr ""
 msgid "You are already a member of this %{member_source}."
 msgstr ""

+msgid "You are already impersonating another user"
+msgstr ""
+
 msgid "You are an admin, which means granting access to %{client_name} will allow them to interact with GitLab as an admin as well. Proceed with caution."
 msgstr ""


--- a/spec/controllers/admin/users_controller_spec.rb
+++ b/spec/controllers/admin/users_controller_spec.rb
@@ -815,5 +815,20 @@ RSpec.describe Admin::UsersController do
        expect(response).to have_gitlab_http_status(:not_found)
      end
    end
+
+    context 'when impersonating an admin and attempting to impersonate again' do
+      let(:admin2) { create(:admin) }
+
+      before do
+        post :impersonate, params: { id: admin2.username }
+      end
+
+      it 'does not allow double impersonation', :aggregate_failures do
+        post :impersonate, params: { id: user.username }
+
+        expect(flash[:alert]).to eq(_('You are already impersonating another user'))
+        expect(warden.user).to eq(admin2)
+      end
+    end
  end
 end